#
# SCAN OF THE WEEK #5: 7 August - 14 August
#
# Weekly contest to see who can determine which tool
# was used for this scan. Signatures captured here
# using snort (http://www.snort.org).
#
# The following signatures were captured in the wild. A site
# is being hit on the same TCP port with different TCP flags.
#

QUESTION
--------
1. What is the purpose of these packets?

ANSWER
------
It's the OS fingerprinting tool Queso.

From: Toby Miller

It looks like queso. If you look at the SYN packets there are two that
set the reserved bits along with the SYN flag. I am writing a paper on
hping2, nmap and queso and how to identify them in the wild. From my
research I have discovered the following about queso and the packets
it sends out:

QUESO sends out
  SYN's     = 4 (2 of which set the reserved bits (13th byte of the TCP header))
  SYN | ACK = 2
  P         = 2
  SYN | FIN = 2
  FIN       = 2
  FIN | ACK = 2

Hopefully this helps,

SCAN:
-----
Check this port scan out. The attacker is looking for open ftp ports (21)
on only two systems. What makes this scanning technique so unique is that
the tool tries a variety of different packet methods. For example, the
first system he scans is .107 on port 21. Within about 100 ms he sends
seven packets, all carrying the same sequence number (0x3EEE7030), the
same window size (0x1234) and consecutive source ports, with the
following flag combinations:

  SYN/ACK
  SYN
  FIN
  FIN/ACK
  SYN/FIN
  PSH
  SYN with both reserved bits set (snort prints this as 21S*****)

Note that a FIN, a PSH or a SYN/FIN arriving with no prior connection,
and a SYN/ACK that answers nothing we sent, make no sense as normal
traffic; the target's replies to these malformed probes are what queso
uses to guess the operating system. About three seconds later he repeats
the same sequence against .101 on the same port, 21.

07/19-08:28:04.572211 212.171.169.46:13921 -> 172.16.1.107:21
TCP TTL:239 TOS:0x0 ID:45258
**S***A* Seq: 0x3EEE7030   Ack: 0x0   Win: 0x1234
7F 40 00 00 00 00                                 .@....

07/19-08:28:04.580347 212.171.169.46:13920 -> 172.16.1.107:21
TCP TTL:238 TOS:0x0 ID:45257
**S***** Seq: 0x3EEE7030   Ack: 0x0   Win: 0x1234
4B 85 70 36 1D 0C                                 K.p6..

07/19-08:28:04.594902 212.171.169.46:13922 -> 172.16.1.107:21
TCP TTL:238 TOS:0x0 ID:45259
***F**** Seq: 0x3EEE7030   Ack: 0x0   Win: 0x1234
30 FD 70 20 22 10                                 0.p ".

07/19-08:28:04.615347 212.171.169.46:13923 -> 172.16.1.107:21
TCP TTL:238 TOS:0x0 ID:45260
***F**A* Seq: 0x3EEE7030   Ack: 0x0   Win: 0x1234
1B 8E 70 8D 68 6D                                 ..p.hm

07/19-08:28:04.633463 212.171.169.46:13924 -> 172.16.1.107:21
TCP TTL:238 TOS:0x0 ID:45261
**SF**** Seq: 0x3EEE7030   Ack: 0x0   Win: 0x1234
51 D9 70 82 22 C6                                 Q.p.".

07/19-08:28:04.655593 212.171.169.46:13925 -> 172.16.1.107:21
TCP TTL:238 TOS:0x0 ID:45262
*****P** Seq: 0x3EEE7030   Ack: 0x0   Win: 0x1234
CF C4 70 83 A1 88                                 ..p...

07/19-08:28:04.674717 212.171.169.46:13926 -> 172.16.1.107:21
TCP TTL:238 TOS:0x0 ID:45263
21S***** Seq: 0x3EEE7030   Ack: 0x0   Win: 0x1234
07 91 70 13 72 1A                                 ..p.r.

07/19-08:28:07.564938 212.171.169.46:25218 -> 172.16.1.101:21
TCP TTL:238 TOS:0x0 ID:56555
**S***** Seq: 0x1D839A7F   Ack: 0x0   Win: 0x1234
6A C0 00 00 00 00                                 j.....

07/19-08:28:07.575469 212.171.169.46:25219 -> 172.16.1.101:21
TCP TTL:238 TOS:0x0 ID:56556
**S***A* Seq: 0x1D839A7F   Ack: 0x0   Win: 0x1234
69 FE 9A 39 1A EE                                 i..9..

07/19-08:28:07.593808 212.171.169.46:25220 -> 172.16.1.101:21
TCP TTL:238 TOS:0x0 ID:56557
***F**** Seq: 0x1D839A7F   Ack: 0x0   Win: 0x1234
92 D9 9A 64 D6 C2                                 ...d..

07/19-08:28:07.615849 212.171.169.46:25221 -> 172.16.1.101:21
TCP TTL:238 TOS:0x0 ID:56558
***F**A* Seq: 0x1D839A7F   Ack: 0x0   Win: 0x1234
16 D2 9A 89 7C 9B                                 ....|.

07/19-08:28:07.634785 212.171.169.46:25222 -> 172.16.1.101:21
TCP TTL:238 TOS:0x0 ID:56559
**SF**** Seq: 0x1D839A7F   Ack: 0x0   Win: 0x1234
75 44 9A 18 8D 07                                 uD....

07/19-08:28:07.655469 212.171.169.46:25223 -> 172.16.1.101:21
TCP TTL:238 TOS:0x0 ID:56560
*****P** Seq: 0x1D839A7F   Ack: 0x0   Win: 0x1234
5E E0 9A 18 5E 11                                 ^...^.

07/19-08:28:07.674845 212.171.169.46:25224 -> 172.16.1.101:21
TCP TTL:238 TOS:0x0 ID:56561
21S***** Seq: 0x1D839A7F   Ack: 0x0   Win: 0x1234
52 DE 9A 07 23 31                                 R...#1

Lance Spitzner
http://www.enteract.com/~lspitz/papers.html
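As an added example, not part of the original Scan of the Week page, of snort, or of queso, the following Python script does by hand what Toby Miller describes doing by eye: it parses snort 1.x style TCP alert records like the ones above, groups them by source address, destination address and destination port, and reports any group that contains several of the flag combinations he lists for queso, noting whether every packet in the group also shares one sequence number and one window size. The order of the eight-character flag field ("21SFRPAU": the two reserved bits, then SYN, FIN, RST, PSH, ACK, URG) is read off the records above; the function names, the threshold of four distinct probe types, and the single ordinary SYN from 10.0.0.5 in the sample are my own choices and are constructed, not captured.

```python
"""Spot queso-style TCP flag probes in snort 1.x alert output (added example)."""
import re
from collections import defaultdict

# Order in which the snort records above print the TCP flag bits;
# a "*" in any position means that bit is clear.
FLAG_ORDER = "21SFRPAU"

# The probe shapes from Toby Miller's list, as the exact set of flag
# characters a packet must show. A plain SYN is left out: it is normal traffic.
QUESO_PROBES = {
    "syn_reserved": frozenset("21S"),   # SYN with both reserved bits set
    "syn_ack": frozenset("SA"),         # unsolicited SYN/ACK
    "psh": frozenset("P"),              # PSH with no connection
    "syn_fin": frozenset("SF"),         # SYN and FIN together
    "fin": frozenset("F"),              # bare FIN
    "fin_ack": frozenset("FA"),         # FIN/ACK with no connection
}

HEADER_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\d+(?:\.\d+){3}):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+)\s*$")
TCP_RE = re.compile(r"^TCP TTL:(?P<ttl>\d+)\s+TOS:0x[0-9A-Fa-f]+\s+ID:(?P<id>\d+)")
FLAGS_RE = re.compile(
    r"^(?P<flags>[" + FLAG_ORDER + r"*]{8})\s+Seq:\s*0x(?P<seq>[0-9A-Fa-f]+)\s+"
    r"Ack:\s*0x(?P<ack>[0-9A-Fa-f]+)\s+Win:\s*0x(?P<win>[0-9A-Fa-f]+)")


def parse_snort_alerts(text):
    """Turn snort 1.x TCP records (header, TCP line, flags line) into dicts.
    Hex-dump payload lines and anything unrecognised are skipped."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := HEADER_RE.match(line)):
            current = {"ts": m["ts"], "src": m["src"], "sport": int(m["sport"]),
                       "dst": m["dst"], "dport": int(m["dport"])}
        elif current is None:
            continue
        elif (m := TCP_RE.match(line)):
            current["ttl"] = int(m["ttl"])
        elif (m := FLAGS_RE.match(line)):
            current["flags"] = frozenset(c for c in m["flags"] if c != "*")
            current["seq"] = int(m["seq"], 16)
            current["win"] = int(m["win"], 16)
            records.append(current)
            current = None
    return records


def find_queso_probes(records, min_probe_types=4):
    """Report (src, dst, dport) groups showing at least min_probe_types of the
    queso probe shapes; same_seq/same_win strengthen the call, since a real
    client would never reuse one ISN across unrelated packets."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["src"], r["dst"], r["dport"])].append(r)
    findings = []
    for (src, dst, dport), pkts in groups.items():
        seen = sorted(name for name, shape in QUESO_PROBES.items()
                      if any(p["flags"] == shape for p in pkts))
        if len(seen) < min_probe_types:
            continue
        findings.append({
            "src": src, "dst": dst, "dport": dport, "packets": len(pkts),
            "probe_types": seen,
            "same_seq": len({p["seq"] for p in pkts}) == 1,
            "same_win": len({p["win"] for p in pkts}) == 1,
            "ttls": sorted({p["ttl"] for p in pkts}),
        })
    return sorted(findings, key=lambda f: f["dst"])


# Sample input: the seven probes against 172.16.1.107:21 from the capture
# above, plus one CONSTRUCTED ordinary SYN from 10.0.0.5 that must not fire.
SAMPLE_LOG = """\
07/19-08:28:04.572211 212.171.169.46:13921 -> 172.16.1.107:21
TCP TTL:239 TOS:0x0 ID:45258
**S***A* Seq: 0x3EEE7030   Ack: 0x0   Win: 0x1234
7F 40 00 00 00 00                                 .@....
07/19-08:28:04.580347 212.171.169.46:13920 -> 172.16.1.107:21
TCP TTL:238 TOS:0x0 ID:45257
**S***** Seq: 0x3EEE7030   Ack: 0x0   Win: 0x1234
07/19-08:28:04.594902 212.171.169.46:13922 -> 172.16.1.107:21
TCP TTL:238 TOS:0x0 ID:45259
***F**** Seq: 0x3EEE7030   Ack: 0x0   Win: 0x1234
07/19-08:28:04.615347 212.171.169.46:13923 -> 172.16.1.107:21
TCP TTL:238 TOS:0x0 ID:45260
***F**A* Seq: 0x3EEE7030   Ack: 0x0   Win: 0x1234
07/19-08:28:04.633463 212.171.169.46:13924 -> 172.16.1.107:21
TCP TTL:238 TOS:0x0 ID:45261
**SF**** Seq: 0x3EEE7030   Ack: 0x0   Win: 0x1234
07/19-08:28:04.655593 212.171.169.46:13925 -> 172.16.1.107:21
TCP TTL:238 TOS:0x0 ID:45262
*****P** Seq: 0x3EEE7030   Ack: 0x0   Win: 0x1234
07/19-08:28:04.674717 212.171.169.46:13926 -> 172.16.1.107:21
TCP TTL:238 TOS:0x0 ID:45263
21S***** Seq: 0x3EEE7030   Ack: 0x0   Win: 0x1234
07/19-08:29:10.000000 10.0.0.5:40123 -> 172.16.1.107:21
TCP TTL:64 TOS:0x0 ID:1001
**S***** Seq: 0x0A0B0C0D   Ack: 0x0   Win: 0x4000
"""

if __name__ == "__main__":
    for f in find_queso_probes(parse_snort_alerts(SAMPLE_LOG)):
        print(f"{f['src']} -> {f['dst']}:{f['dport']} {f['packets']} pkts, "
              f"probes={f['probe_types']} same_seq={f['same_seq']} "
              f"same_win={f['same_win']} ttl={f['ttls']}")
```

Run against the full capture above, both .107 and .101 are reported with all six probe shapes, a single sequence number each, and window 0x1234 throughout; the constructed SYN from 10.0.0.5 produces no finding because a bare SYN is not on the list. Matching the flag set exactly rather than by subset is deliberate: a SYN/ACK with the reserved bits set, say, would be a different tool's signature and should not be credited to queso. The regexes fit the record layout shown on this page; later snort releases print TCP flags in a different layout, so check the field order against your own logs before trusting the parser.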